CLAIMS

1. A network address translating gateway connecting a LAN to an external network, said LAN using local IP addresses, said gateway having a local IP address that can be seen by devices on said LAN and having an external IP address that can be seen by devices on said external network, said gateway comprising

a plurality of internal tables associating combinations of local IP addresses of local devices on said LAN, external IP addresses of external devices on said external network, SPI-In values, SPI-Out values, source port addresses, destination port addresses, reserved port addresses, and maintaining a list of reserved port addresses,

means for performing normal address translation upon datagrams passing from said LAN to said external network and datagrams passing from said external network to said LAN,

means for delivering a datagram from a local device on said LAN to an external device on said external network by receiving a datagram from a local device on said LAN intended for delivery to an external device on said external network, and determining whether said datagram is encrypted and, if said datagram is encrypted, for determining whether the SPI of said datagram is recorded in the SPI-Out field in said internal table and, if said SPI is recorded in said SPI-Out field, modifying the source IP address of said datagram to be said external IP address of said gateway and passing said datagram to said external network for routing and delivery to said external device,

and if said SPI is not recorded in said SPI-Out field of said internal table, setting the SPI-In field corresponding to the local IP address of said local device equal to zero and setting said SPI-Out field equal to said SPI, modifying said source IP address of said datagram to be said external IP address of said gateway and passing said datagram to said external network for routing and delivery to said external device,

and if said datagram is not encrypted, determining whether the destination port address for said datagram is included in said list of reserved port addresses and, if said destination port address is not included in said list of reserved port addresses, performing normal address translation upon said datagram and passing said datagram to said external network for routing and delivery to said external device,

and if said destination port address is included in said list of reserved port addresses, determining whether said destination port address is bound to said local IP address of said local device, and if said destination port address is bound to said local IP address, performing normal address translation upon said datagram and passing said datagram to said external network for routing and delivery to said external device,

and if said destination port address is not bound to said local IP address of said local device, modifying said source IP address of said datagram to be said external IP address of said gateway, binding said destination port address to said local IP address of said local device and creating an association between said destination port address and the external IP address of said external device, and passing said datagram to said external network for routing and delivery to said external device,

means for delivering a datagram from said external device to said local device by receiving a datagram from said external device on said external network intended for delivery to said local device on said LAN,

determining whether said datagram is encrypted and, if said datagram is encrypted, determining whether the datagram's SPI is recorded in said SPI-In field of said internal table and, if said SPI is recorded in said SPI-In field, modifying the destination IP address of said datagram to be said local IP address of said local device and passing said datagram to said LAN for routing and delivery to said local device,

and if said SPI is not recorded in said SPI-In field of said internal table, determining whether said SPI-In field corresponding to said IP address of said external device is equal to zero and, if said SPI-In field is not equal to zero, discarding said datagram,

and if said SPI-In field is equal to zero, setting said SPI-In field equal to said SPI, modifying the destination IP address of said datagram to be said local IP address of said local device and passing said datagram to said LAN for delivery to said local device,

and if said datagram is not encrypted, determining whether the destination port address for said datagram is included in said list of reserved port addresses and, if said destination port address is not included in said list of reserved port addresses, performing normal address translation upon said datagram and passing said datagram to said LAN for delivery to said local device,

and if said destination port address is included in said list of reserved port addresses, determining whether said destination port address is bound to the local IP address of said local device, if said destination port address is not bound to said local IP address, discarding said datagram,

and if said destination port address is bound to said local IP address, modifying said destination IP address of said datagram to be said local IP address of said local device, unbinding said destination port address from said local IP address, and passing said datagram to said LAN for delivery to said local device.

2. The network address translating gateway of claim 1, further comprising a timer, wherein, upon receiving a signal that a port address has become bound to an IP address, said timer will commence timing for a predetermined length of time and, upon the expiration of said predetermined length of time, will send a signal causing said port address to become unbound from said IP address, and, upon receiving a signal indicating that said port address has become unbound from said IP address prior to the expiration of said predetermined length of time, said timer will stop timing and will reset.

3. The network address translating gateway of claim 1 in which said external network is the internet.

4. The network address translating gateway of claim 3 in which said LAN is a virtual private network.

5. A method of processing IP datagrams from a local device on a LAN using local IP addresses through a network translating gateway to an external device on an external network comprising the steps of

maintaining a plurality of tables associating local IP addresses of local devices on said LAN, external IP addresses of external devices on said external network, port addresses of said local devices, port addresses of said external devices, SPI-in values, SPI-out values, and reserved port addresses, and a list of reserved port addresses,

receiving a datagram from said LAN,

determining whether said datagram is encrypted and, if said datagram is encrypted, determining whether the SPI in said datagram is recorded in the SPI-out field of one of said plurality of internal tables and, if said SPI is recorded in said SPI-out field of said internal table, modifying the source IP address to be the external IP address of said gateway and passing said datagram to said external network for routing and delivery to said external device,

and if said SPI is not recorded in said SPI-out field of said internal table, setting said SPI-out field corresponding to the IP address of said external device equal to said SPI and setting the SPI-in field of said internal table to zero, modifying said source IP address to be said external IP address of said gateway, and passing said datagram to said external network for routing and delivery to said external device,

and if said datagram is not encrypted, determining whether the destination port address for said datagram is included in said table of reserved port addresses and, if said destination port address is not included in said table of reserved port addresses, performing normal address translation upon said datagram and passing said datagram to said external network for routing and delivery to said external device,

and if said destination port address is included in said table of reserved port addresses, determining whether said destination port address is bound to an IP address, and if said destination port is bound to an IP address, performing normal address translation upon said datagram and passing said datagram to said external network for routing and delivery to said external device,

and if said destination port address is not bound to an IP address, modifying said source IP address to be said external IP address for said external device, binding said destination port address to the local IP address of said local device and creating an association between said destination port address and said external IP address of said external device, and passing said datagram to said external network for routing and delivery to said external device.

6. A method of processing IP datagrams from an external device on an external network through a network translating gateway to a local device on a LAN using local IP addresses, comprising the steps of

maintaining a plurality of tables associating local IP addresses of local devices on said LAN, external IP addresses of external devices on said external network, port addresses of said local devices, port addresses of said external devices, SPI-in values, SPI-out values, and reserved port addresses, and a list of reserved port addresses,

receiving a datagram from said external network,

determining whether said datagram is encrypted and, if said datagram is encrypted, determining whether the SPI in said datagram is recorded in the SPI-in field of one of said plurality of internal tables and, if said SPI is recorded in said SPI-in field of said internal table, modifying the destination IP address to be the internal IP address of said local device and passing said datagram to said LAN for routing and delivery to said local device,

and if said SPI is not recorded in said SPI-in field of said internal table, determining whether said SPI-in field corresponding to the IP address of said external device is zero, and if said SPI-in field is not zero, discarding said datagram,

and if said SPI-in field is equal to zero, modifying said SPI-in field to be said SPI, modifying said destination IP address to be said local IP address of said local device, and passing said datagram to said LAN for routing and delivery to said local device,

and if said datagram is not encrypted, determining whether the destination port address for said datagram is included in said list of reserved port addresses, and if said destination port address is not included in said list of reserved port addresses, performing normal address translation and passing said datagram to said LAN for routing and delivery to said local device,

and if said destination port address is included in said list of reserved port addresses, determining whether said destination port address is bound to said local IP address, and if said destination port is not bound to said local IP address, discarding said datagram,

and if said destination port address is bound to said local IP address, modifying said destination IP address to be said local IP address of said local device, unbinding said destination port address from said local IP address, and passing said datagram to said LAN for routing and delivery to said local device.

7. The method of processing IP datagrams as claimed in claim 5, further comprising the steps of starting a timer whenever said destination port address becomes bound to said local IP address of said local device,

resetting said timer whenever said destination port address has become released,

and sending a signal whenever said timer is active and a predetermined length of time has expired from the time said timer was started.

8. The method of processing IP datagrams as claimed in claim 6, further comprising the steps of starting a timer whenever said destination port address becomes bound to said local IP address of said local device,

resetting said timer whenever said destination port address has become released,

and sending a signal whenever said timer is active and a predetermined length of time has expired from the time said timer was started.

9. The method of processing IP datagrams as claimed in claim 5, in which said external network is the internet.

10. The method of processing IP datagrams as claimed in claim 6, in which said external network is the internet.

11. The method of processing IP datagrams as claimed in claim 5 in which said LAN is a virtual private network.

12. The method of processing IP datagrams as claimed in claim 6 in which said LAN is a virtual private network.
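The SPI-tracking steps of claims 5 and 6 for encrypted datagrams, modelled as an added example that is not part of the patent text: an outbound datagram learns the SPI-out value and clears SPI-in, and the first inbound datagram from that external device then binds SPI-in, after which any other inbound SPI from that device is discarded. The addresses, the `Gateway` and `Entry` names and the tuple return format are assumptions made for this illustration.

```python
"""Minimal model of the SPI-in / SPI-out table logic of claims 5 and 6.

Added example, not the patent's own code. Port handling for unencrypted
datagrams and the timers of claims 7 and 8 are not modelled here.
"""
from dataclasses import dataclass, field

GATEWAY_EXT_IP = "203.0.113.1"  # constructed sample external address of the gateway


@dataclass
class Entry:
    """One row of the internal table: a (local, external) address pair."""
    local_ip: str
    external_ip: str
    spi_out: int = 0  # SPI seen on datagrams leaving the LAN
    spi_in: int = 0   # SPI learned from the external device; 0 = not yet learned


@dataclass
class Gateway:
    table: list = field(default_factory=list)

    def _entry(self, local_ip: str, external_ip: str) -> Entry:
        for e in self.table:
            if e.local_ip == local_ip and e.external_ip == external_ip:
                return e
        e = Entry(local_ip, external_ip)
        self.table.append(e)
        return e

    def outbound(self, src: str, dst: str, spi: int) -> tuple:
        """Encrypted datagram LAN -> external. Returns (src, dst, spi) as forwarded."""
        e = self._entry(src, dst)
        if e.spi_out != spi:
            # New SPI: record it and reset SPI-in so the reply SPI can be learned.
            e.spi_out = spi
            e.spi_in = 0
        return (GATEWAY_EXT_IP, dst, spi)  # source rewritten to the gateway address

    def inbound(self, src: str, spi: int):
        """Encrypted datagram external -> LAN. Returns forwarded tuple, or None = discard."""
        for e in self.table:
            if e.external_ip == src and e.spi_in == spi:
                return (src, e.local_ip, spi)  # known SPI-in: translate destination
        for e in self.table:
            if e.external_ip == src and e.spi_in == 0:
                e.spi_in = spi  # SPI-in field is zero: bind this SPI to the entry
                return (src, e.local_ip, spi)
        return None  # SPI-in already bound to a different SPI, or no entry: discard
```

Only a datagram that follows an outbound association can ever be delivered inward, so unsolicited encrypted traffic from an unknown external address, or a second SPI from an already-bound one, is dropped at the gateway.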
